1. Field of the Invention
The present invention relates generally to the field of network communication systems and, more particularly to security systems for use with network communication systems.
2. Related Art
A set of inter-connected computer networks that spans a relatively large geographical area is called a wide area network (WAN). Typically, a WAN consists of two or more local-area networks (LANs) that are themselves interconnected. Computers connected to a WAN are often connected through public networks, such as the telephone system. They can also be connected through leased lines or satellites. The largest and best known WAN in existence is the Internet.
The Internet is a public, world-wide WAN defined by the IP (Internet Protocol) suite of protocols, which has in recent years gone from being a tool used primarily in scientific and military fields to become an important part of the missions of a wide variety of organizations, including commercial organizations. Organizations often run one or more LANs and connect their LANs to the Internet to share information with other remotely located organization-run LAN, and with the cyber world in general. However, along with providing new levels of connectivity and sources of information, connection to the Internet or to a private WAN has brought security risks in the form of adversaries seeking to disrupt or infiltrate the organization's mission by interfering with or monitoring the organizations' networks.
Several security devices that exist today are designed to keep external adversaries from obtaining access to a LAN. Firewalls, for example, protect the LAN against unauthorized access by allowing only communications data (commonly called datagrams or “packets”) from known machines to pass. This is accomplished by monitoring network IP addresses on these packets, which correspond uniquely to a particular machine, and TCP service ports, which usually map into a specific type of software application such as mail, ftp, http and the like. The firewall then determines whether to allow or disallow entry of the packet into the LAN as it deems appropriate.
Virtual Private Network (VPN) and other Internet Protocol Security (IPsec) devices protect against unauthorized interception of transmitted data by encrypting the entire packet. For example, a VPN (in tunnel mode) wraps outgoing datagrams with its own header and sends the encrypted packet to a destination VPN. A limitation of VPNs, however, is that adversaries can determine where the VPN devices are located in the network, since each VPN has a specific IP address. Accordingly, a VPN does not hide its location in the network, and is therefore vulnerable to an attack once its location is known. Similarly, other security technology, such as configured routers, Secure Socket Layer (SSL) and host-based Internet Protocol Security (IPsec) fail to obscure the location of nodes inside a network.
Although conventional security techniques are generally good for some of their intended purposes, they do not address the problem of detecting intrusion attempts against the network. To alert against possible intrusion attempts, network administrators have turned to intrusion detection sensing (IDS) technology. IDS technology is used to ascertain the level of adversary activity on the LAN and to monitor the effectiveness of other security devices, such as those discussed above. IDS products work by looking for patterns of known attack, including network probes, specific sequences of packets representing attacks (called known intrusion patterns, or KIPs), and the like. An administrator uses IDS technology primarily to determine the occurrence of any adversarial activity, information useful in evaluating the effectiveness of current security technology and justifying additional commitment to network security.
In addition to protecting transmitted data, an organization may wish to prevent unauthorized parties from knowing the topology of their LANs. Existing security techniques do not completely secure a network from adversaries who employ traffic mapping analysis. Data packets exchanged across networks carry not only critical application data, but also contain information that can be used to identify machines involved in the transactions.
Today's sophisticated adversaries employ network-level “sniffers” to monitor passively freely transmitted network traffic and thereby gather critical network topology information, including the identities of machines sending and receiving data and the intermediate security devices that forward the data. The sophisticated adversary can use this identity information to map internal network topologies and identify critical elements such as: roles of the servers, clients and security devices on the network, classes of data associated with specific servers, and relative mission importance of specific machines based on network traffic load. The adversary can then use this network map information to plan a well-structured, network-based attack.
Network security techniques have been developed that addresses this problem by concealing the identities of machines and topology in the LAN. Such technology was developed by the assignee of the present application, and is described in U.S. patent application Ser. No. 09/594,100, entitled Method and Apparatus for Dynamic Mapping (DYNAT), Ser. No. 09/927,671, entitled Method and Apparatus for Providing Adaptive Self-Synchronized Dynamic Address Translation (ASD), Ser. No. 09/928,133, entitled Method And Apparatus For Providing Adaptive Self-Synchronized Dynamic Address Translation As An Intrusion Detection Sensor, and Ser. No. 09/927,979, entitled Sliding Scale Adaptive Self-Synchronized Dynamic Address Translation, each of which is hereby incorporated by reference.
Both the DYNAT and ASD techniques can hide machine identities on, for example, IP data packets, by translating source and destination addresses just prior to transmitting them over the Internet. When packets arrive at an authorized destination, a receiving device programmed with the techniques restores the source and destination addresses (according to a negotiated scheme) and forwards the packets to the appropriate host on its LAN.
These techniques can perform direct translation of specific fields in the IP portion of the packet as well as in the transport/session layer. The specific fields are summarized in FIG. 1. Thus, it can be seen that these techniques obfuscate the identities in routable packets.
While the above techniques represent a significant advancement in the field of network security, there exists a need for a method of concealing the identities of LAN machines and topology. There also exists a need for methodologies that thwart address-based traffic analytic attacks within the local subnet. This additional security would make existing network security systems more robust and more difficult to defeat. The technique should ideally allow for construction of network access devices, such as routers, that offer the benefits of DYNAT and ASD to protect an enclave of computers. In addition, these devices should be flexible enough to be self-discovering, able to negotiate mapping parameters with one another on a need-based, authorized basis.